Some questions:
- Using external ads on your site, you do not even have full control of your website. Who is liable when that external ad gets hacked?
- Using tools for a website that contain a lot of exploits, or that for ease of use have no isolation at certain boundaries: what would you like to protect in an open house?
- The DNS / network part is outside your website environment but can effectively destroy any access.
Security tools are often just trying to monitor changes that are not intended or expected: seeing something when it goes obviously wrong and then trying to intercept.
Would it not be more sensible to make it secure from design and build, and still monitor attempts?

It depends on the webserver and the OS. They each have different hardening techniques. But, whatever the situation, you need a good anti-virus and anti-malware system running on the server monitoring your www folders.

I also recommend a read only copy of your website be stored on a system not in the DMZ. You can do hourly (or whatever schedule) directory listing and file checksum comparisons to be sure nothing has been altered in any way and overwrite any changes if they are found. This will greatly reduce the impact any hack may have.
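As an added example (not code from the thread), a Python sketch of the scheduled check described above: hash a read-only reference copy and the live web root, report added, removed and modified files, and overwrite the live copy from the reference. Directory names and file contents are constructed in-line; a real deployment would point `ref` and `www` at the reference copy and the web root.

```python
import hashlib
import os
import shutil
import tempfile


def build_manifest(root):
    """Map each file under root (relative, '/'-separated) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                manifest[rel] = hashlib.sha256(fh.read()).hexdigest()
    return manifest


def compare(reference, live):
    """Return sorted (added, removed, modified) paths of live relative to reference."""
    added = sorted(set(live) - set(reference))
    removed = sorted(set(reference) - set(live))
    modified = sorted(p for p in set(reference) & set(live) if reference[p] != live[p])
    return added, removed, modified


def restore(ref_root, www_root, added, removed, modified):
    """Put the live tree back to the reference: drop extras, recopy the rest."""
    for rel in added:
        os.remove(os.path.join(www_root, rel))
    for rel in removed + modified:
        dst = os.path.join(www_root, rel)
        os.makedirs(os.path.dirname(dst), exist_ok=True)
        shutil.copy2(os.path.join(ref_root, rel), dst)


def write_tree(root, files):
    # Create files (relative path -> bytes) under root; constructed sample data.
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)


def demo():
    """One check cycle on constructed trees: drift found, then drift left after restoring."""
    good = {"index.html": b"<h1>Hello</h1>", "js/app.js": b"console.log(1)"}
    live = {"index.html": b"<h1>Hello</h1><!-- altered -->", "uploads/unexpected.txt": b"x"}
    with tempfile.TemporaryDirectory() as ref, tempfile.TemporaryDirectory() as www:
        write_tree(ref, good)
        write_tree(www, live)
        drift = compare(build_manifest(ref), build_manifest(www))
        restore(ref, www, *drift)
        return drift, compare(build_manifest(ref), build_manifest(www))
```

Because the manifest is keyed on file content, a file silently replaced with one of the same name and size is still reported as modified.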

Use the right permissions. Keep the software up to date and install the bare minimum needed to keep the site up. Use and really understand SELinux as it relates to the applications you must have installed. Firewall everything that touches the Internet, even if it's a second or third level connection; you should run a local firewall on the IP and even the local loop. Use certificates where possible so you know where transactions are coming from and that it isn't leaking clues. Develop and continuously improve your code for sanity checks before saving data. Take courses when you can to improve your skills, coding and security. Subscribe to and read the emails from security organizations (CERT, SecurityFocus, seclists, OSVDB etc.) as well as the mailing list for security issues with any software you have installed.

You'll still get hacked if someone is interested enough and has a zero day. Be prepared to dump and rebuild at a moment's notice. Pros can rebuild from bare metal at a moment's notice; real pros already have a spare machine picked out.

I would not place too much trust in anti-hacking 'TOOLS', be it a software add-on or a hardware appliance. It's been proven that the best way to secure operating systems and applications is through hardening. Turn off unnecessary services, disable unnecessary features, follow recommended best practices and perform 3rd party penetration testing by a reputable security vendor. Despite their reputation, Microsoft's TechNet has many really good suggestions on how to harden Windows, IIS and Active Directory.

Avoid using the classification "best practices", as that is associated with "do that and you are ready", with no need to evaluate, think about forgotten issues and improve.
That attitude is one of the reasons for all those messes with hacks and data leaks.

That reaction of "we have implemented all best practices" at the moment of data leaks/hacks is seen happening. For the ITIL part (courses V3) that was the reason to change those words: no more best practices. But of course you should do a lot according to what is already known. http://www.itskeptic.org/good-practice-and-best-practice is a blog on that phrase.

I think you're missing my point... Best Practices, Good Practices; call it what you want. The point I was trying to make is that some system admins place too much reliance on security appliances and anti-hacking add-ons and buy into the marketing hype surrounding these shiny devices. Before spending 50K or 100K on a shiny new single-bullet appliance that is supposed to keep them safe from hackers, malware or what have you, they forget or fail to implement basic operating system or application hardening. A few examples: disabling NetBIOS over TCP/IP, installing EMET, enabling Windows Firewall and properly tuning it to block TCP 445 from other desktops, only allowing specific IT admins or management servers, MS AppLocker, Java Deployment Rule Set. I see it all the time. Convenience will always trump security.

You guys really missed the question here. Best practices have nothing to do with tools, any more than peanut butter has to do with dog lips. I used to post signs up that read "What will your tombstone read," that showed people doing really stupid stuff involving high voltage or car accidents.

Tools, what tools do we use to enhance our jobs? The first one of you to mention Nmap loses two points and gets kicked off the island. Kali will cost you five points and your brother-in-law gets to kick you in the kneecap for plain old stupidity. You don't know who wrote those programs or where that collected data goes.

You don't. Face it.

If you have been using those programs then maybe you have seen all the odd communication traffic that moves alongside your normal "sex kitten" traffic. Let me put this another way: you have no clue where your data is going or who collects it besides you.

And don't even think about blaming FOSS. Hit yourself in the head with a large hammer if you briefly considered that. TrueCrypt shot the hell out of that idea. If you don't know what TrueCrypt is, get off this channel and then hit yourself in the head with a 24 oz hammer. If you can't find a 24 oz hammer, I'll loan you mine. It works quite well for fixing broken computers. Real coders use 24 oz hammers.

The question was "What security tool do you use on your web site." IBM isn't an answer. A large hammer applied to the side of the head is a proper answer. ISECOM is another good collection of web security tools. Please spell that correctly since we didn't sell out like others did. Stop bitching, peddling crap products (written by programmers in foreign lands) and answer the questions as they are posted.

I don't disagree. I worked for IBM from 1974 to 2002. For the first 20 years, it was a great company. "Respect for the Individual" was the mantra (and it really meant something). Then it became just like every other big company. Shareholder value and the bottom line became the guiding principles. "Think" ain't the mantra anymore.

You'll notice that for the past 8 quarters, the overall revenue has declined. Profits are up solely on cutting costs.

Bob - While this list has plenty of curious people on it (in the comedic sense), all are interested in security, most need it to do their jobs and some make their mortgage payments in the security field. I suspect very, very few of them have a 24 oz hammer to hand.

There's nothing wrong with awe-stem, however at some point you have to get out of the classroom and actually implement some tools.

I don't quite understand the aversion to using tools, although I agree that the RELIANCE on tools is a bad thing. That said, if all you know how to do is run a tool and it finds some basic flaw and suggests a remediation that you can understand and implement, all well and good (you'll still get owned, just not from that flaw :-) ).

I'm surprised that no one has mentioned a secure development lifecycle. The most secure platform in the world can be easily undermined by what runs on it, and (in my experience) this is usually the case. You can build the world's most secure foundation, but if you build a house of cards on top of it, it's still going to fall over...

@nixster you are right. The first goal should be a secure foundation (using an SDLC), not a house of cards. Could not agree more on that. Not being mentioned? Ok, not really as clearly as you did, but it is part of that "standard of good practice".

One more very important tool IMO is outside auditing. Get a third party to review your setup at least and do consider getting a full pen test done. Don't just do it yourself. You'll keep missing your same blind spots.